
Re: Negotiate Authentication Broken with Subversion 1.3.0

From: Samay <getafix123_at_hotmail.com>
Date: 2006-04-20 14:41:07 CEST

G'day,

IMO the following is probably a bug/limitation wrt Neon's SPNEGO feature. A recipe
to reproduce is provided below (some bits from the original poster).

If you need more details, feel free to ask. Any suggested workarounds?

regards

Shirish

>>
The SVN Server
--------
OS: Gentoo
URL: https://svn.my.realm/repos/
mit-krb5-1.4.3
apache2 2.0.55
subversion 1.3.1 (mod_dav_svn, svnAuthz)
mod-auth-kerb 5.0-rc7 + workaround for the 'request is replay' issue with
mit-krb5 1.4.3

    AuthType Kerberos
    KrbAuthRealms MY.REALM
    KrbMethodNegotiate on
    KrbMethodK5Passwd off
    Krb5Keytab keytab_file
    require valid-user

Linux Terminal Server 2
-----------------------
OS: Gentoo
mit-krb5 1.4.3
Subversion 1.3.1 + neon 0.25.5

Client 1
--------
OS: Windows XP SP2 (member of MY.REALM domain)
SVN 1.3.1 with Neon 0.25.5

Client 2
--------
The subversion client on server 2 in a terminal session
>>

Client 1 .. works fine.
Client 2 .. Firefox works, SVN doesn't for the same SVN repo URL. Steps
follow:

1. Firefox --> about:config --> config string
"network.negotiate-auth.trusted-uris" set to https://.my.realm ... close
Firefox
2. kinit myuser@MY.REALM
3. Firefox https://svn.my.realm/repos .... works fine.
4. kinit -R (renews the ticket)
5. someuser@server2 ~/repos $ svn up
svn: PROPFIND request failed on '/repos'
svn: PROPFIND of '/repos': authorization failed (https://svn.my.realm)

Certainly not a server-side issue, as Firefox works just fine with correct
authenticated access. Expected behavior for the SVN client is to use the
existing, already issued krb ticket from MY.REALM for authentication and
fulfill the request.

<<>>original posted message
http://svn.haxx.se/users/archive-2006-02/1010.shtml

From: Patrick Ryan <tigris_at_pryan.org>
Date: 2006-02-23 02:44:39 CET

Hello,

I've got two servers both hosting repositories. I'm using Apache2
mod_auth_kerb to authenticate to an Active Directory server. When I
turn off kerberos password authentication to force the use of Negotiate
authentication, both Subversion and Firefox fail to authenticate, but IE
works with Negotiate authentication against the server. Both Subversion
and Firefox fail without even prompting for credentials.

The client is choosing kerberos password authentication, but when I
force Negotiate authentication, neither Subversion nor Firefox work. I
expect Firefox to break, but not Neon 0.25.4 that's included with
Subversion 1.3.0. The error message appears to be the same in either
case (401 in the Apache logs):

[pryan@svn sandbox]$ svn ci
svn: Commit failed (details follow):
svn: MKACTIVITY of
'/svn/sandbox/!svn/act/16c1adf6-6b0d-0410-9322-c1268cc03508': authorization
failed (http://pledge.my.realm)
svn: Your commit message was left in a temporary file:
svn: '/home/pryan/pledge/sandbox/svn-commit.tmp'
[pryan@svn sandbox]$

Apache2 mod_auth_kerb working config:

    AuthType Kerberos
    KrbAuthRealms MY.REALM
    Krb5Keytab keytab_file

Apache2 mod_auth_kerb broken config:

    AuthType Kerberos
    KrbAuthRealms MY.REALM
    KrbMethodNegotiate on
    KrbMethodK5Passwd off
    Krb5Keytab keytab_file

Server 1
--------
OS: Debian sid
Debian subversion 1.2.3dfsg1-3
Debian apache2 2.0.55-4
Debian libapache-mod-auth-kerb 4.996-5.0-rc6-3

Server 2
--------
OS: Red Hat Enterprise Linux WS 3u5
RHEL Apache2 httpd-2.0.46-46.ent
Subversion 1.3.0
mod_auth_kerb 5.0rc6

Client 1
--------
OS: Windows XP SP2
TortoiseSVN 1.3.1 (subversion 1.3.0 with neon 0.25.4)

Client 2
--------
The subversion client from server 2.

Any ideas what's wrong with my setup?

Thanks,
Patrick

Received on Thu Apr 20 14:42:36 2006
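
An added example, not part of either post and not code from Subversion, Neon or mod_auth_kerb: it parses the `WWW-Authenticate` challenges of a 401 response to show why turning `KrbMethodK5Passwd off` leaves a client that cannot complete Negotiate with nothing to prompt for. The header values are constructed to model the two configs quoted above, and `client_outcome` is a simplified, assumed model of client scheme selection.

```python
import re

# Constructed 401 headers modelling the thread's two mod_auth_kerb configs
# (assumed values, not captured from the posters' servers).
WORKING = ['Negotiate', 'Basic realm="Kerberos Login"']  # password method left on
BROKEN = ['Negotiate']                                   # KrbMethodK5Passwd off

_PARAM = re.compile(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+\s*=\s*[^=\s]")

def split_commas(value):
    """Split a header value on commas that are outside quoted-strings."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in value:
        if escaped:
            escaped = False
        elif quoted and ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            parts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]

def parse_challenges(header_values):
    """Return [(scheme, data)] for each challenge in WWW-Authenticate values."""
    found = []
    for value in header_values:
        for part in split_commas(value):
            if found and _PARAM.match(part):
                # A bare name=value continues the previous challenge.
                scheme, data = found[-1]
                found[-1] = (scheme, (data + ", " + part).lstrip(", "))
            else:
                scheme, _, data = part.partition(" ")
                found.append((scheme.lower(), data.strip()))
    return found

def client_outcome(header_values, client_can_negotiate):
    """Simplified model (an assumption) of how a client picks a scheme."""
    schemes = {scheme for scheme, _ in parse_challenges(header_values)}
    if "negotiate" in schemes and client_can_negotiate:
        return "negotiate-with-ticket"
    if schemes & {"basic", "digest"}:
        return "password-prompt"
    return "fail-without-prompt"
```

The model only covers scheme selection; a client that does attempt Negotiate can still be rejected later, for example when its token is not accepted by the server.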
